Citrix ADC SSL Profiles Validated Reference Design

October 8, 2018

Overview

Citrix ADC summary

Citrix ADC is an all-in-one application delivery controller that makes applications run up to five times better, reduces application ownership costs, optimizes the user experience, and ensures that applications are always available by using:

As an undisputed leader of service and application delivery, Citrix ADC is deployed in thousands of networks around the world to optimize, secure, and control the delivery of all enterprise and cloud services. Deployed directly in front of web and database servers, Citrix ADC combines high-speed load balancing and content switching, HTTP compression, content caching, SSL acceleration, application flow visibility, and a powerful application firewall into an integrated, easy-to-use platform. Meeting SLAs is greatly simplified with end-to-end monitoring that transforms network data into actionable business intelligence. Citrix ADC allows policies to be defined and managed using a simple declarative policy engine with no programming expertise required.

Overview of Citrix ADC SSL profiles

You can use an SSL profile to specify how a Citrix ADC processes SSL traffic. The profile is a collection of SSL parameter settings for SSL entities, such as virtual servers, services, and service groups, and offers ease of configuration and flexibility. You are not limited to configuring only one set of global parameters. You can create multiple sets (profiles) of global parameters and assign different sets to different SSL entities. SSL profiles are classified into two categories:

Front-end profiles, containing parameters applicable to the front-end entity. That is, they apply to the entity that receives requests from a client.

Back-end profiles, containing parameters applicable to the back-end entity. That is, they apply to the entity that sends client requests to a server.

Unlike a TCP or HTTP profile, an SSL profile is optional. Once default SSL profiles are enabled (a global SSL parameter), all SSL endpoints inherit the default profiles. The same profile can be reused across multiple entities. If an entity does not have a profile attached, the values set at the global level apply. For dynamically learned services, the current global values apply.

Compared to the alternative, which requires configuring SSL parameters, ciphers, and ECC curves on each SSL endpoint individually, SSL profiles on Citrix ADC simplify configuration management by acting as a single point of SSL configuration for all related endpoints. They also remove the operational problems of reordering ciphers per endpoint, including the downtime that reordering used to cause.

SSL profiles also make it possible to set SSL parameters and cipher bindings on SSL endpoints on which these traditionally could not be set. SSL profiles can be bound to secure monitors as well.

The following lists show the parameters that belong to each profile type:

Front End Profile

cipherRedirect, cipherURL
clearTextPort*
clientAuth, clientCert
denySSLReneg
dh, dhFile, dhCount
dropReqWithNoHostHeader
encryptTriggerPktCount
eRSA, eRSACount
insertionEncoding
nonFipsCiphers
pushEncTrigger
pushEncTriggerTimeout
pushFlag
quantumSize
redirectPortRewrite
sendCloseNotify
sessReuse, sessTimeout
SNIEnable
ssl3
sslRedirect
sslTriggerTimeout
strictCAChecks
tls1, tls11, tls12

Backend Profile

denySSLReneg
encryptTriggerPktCount
nonFipsCiphers
pushEncTrigger
pushEncTriggerTimeout
pushFlag
quantumSize
serverAuth
commonName
sessReuse, sessTimeout
SNIEnable
ssl3
sslTriggerTimeout
strictCAChecks
tls1, tls11, tls12

*The clearTextPort parameter applies only to an SSL virtual server.

An error message appears if you try to set a parameter that is not part of the profile (for example, if you try to set the clientAuth parameter in a backend profile).

Some SSL parameters, such as CRL memory size, OCSP cache size, UndefAction Control, and UndefAction Data, are not part of any of the above profiles, because these parameters are independent of entities. These parameters are present in Traffic Management > SSL > Advanced SSL Settings.

An SSL profile supports the following operations:

Add—Creates an SSL profile on the Citrix ADC. Specify whether the profile is front end or back end. Front end is the default.

Set—Modifies the settings of an existing profile.

Unset—Sets the specified parameters to their default values. If you do not specify any parameters, an error message appears. If you unset a profile on an entity, the profile is unbound from the entity.

Remove—Deletes a profile. A profile that is being used by any entity cannot be deleted. Clearing the configuration deletes all the entities. As a result, the profiles are also deleted.

Bind—Binds a profile to a Vserver.

Unbind—Unbinds a profile from a Vserver.

Show—Displays all the profiles that are available on the Citrix ADC. If a profile name is specified, the details of that profile are displayed. If an entity is specified, the profiles associated with that entity are displayed.

Any new endpoint that is created is bound to the corresponding default SSL profile (the front-end profile for virtual servers, the back-end profile for services and service groups).

The SSL parameters and ciphers of the default SSL profiles can be changed. This lets you change settings and cipher bindings in one place, and every endpoint that references the default profile picks up the change.

Important:

Save your configuration before you upgrade the software and enable the default profiles.

Upgrade the software to a build that supports the enhanced profile infrastructure, and then enable the default profiles. You can take one of two approaches depending on your specific deployment. If your deployment has a common SSL configuration across end points, see Use Case 1. If your deployment has a large SSL configuration and the SSL parameters and ciphers are not common among end points, see Use Case 2.

After the upgrade, enabling the default profiles is a one-way change: the profile cannot be disabled again. The only way to reverse it is to reboot with the configuration you saved before enabling it.

Note: A single operation (Enable Default Profile or set ssl parameter -defaultProfile ENABLED) enables (binds) both the default front-end profile and the default back-end profile.

Note: Default SSL profiles are supported in a cluster starting with release 11.1.

To save the configuration by using the Citrix ADC command line, at the command prompt, type:

Use case 1

After you enable the default profiles, they are bound to all the SSL end points. The default profiles are editable. If your deployment uses most of the default settings and changes only a few parameters, you can edit the default profiles. The changes are immediately reflected across all the end points.

The following flowchart explains the steps that you must perform:

For information about upgrading the software, see Upgrading the System Software.

Enable the default profiles by using the Citrix ADC command line or GUI.

At the command line, type set ssl profile <name> followed by the parameters to modify, where <name> is the default profile to edit: ns_default_ssl_profile_frontend for virtual servers or ns_default_ssl_profile_backend for services and service groups.

If you prefer to use the GUI, navigate to System > Profiles. In SSL Profiles, select a profile and click Edit.
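The following Citrix ADC command-line session is an added example that walks through Use case 1 end to end; it is not part of the Citrix documentation. It assumes a load-balancing virtual server named vs_app_https already exists and creates a user-defined cipher group named sslprof_ecdhe_gcm; both names are illustrative. ns_default_ssl_profile_frontend is the name the appliance gives the default front-end profile. Lines beginning with # are annotations, not commands.

```text
# 1. Keep a rollback point. Enabling default profiles cannot be undone
#    except by rebooting with a configuration saved before the change.
> save ns config

# 2. Enable default profiles. This one command binds
#    ns_default_ssl_profile_frontend to every SSL virtual server and
#    ns_default_ssl_profile_backend to every SSL service and service group.
> set ssl parameter -defaultProfile ENABLED

# 3. Harden the default front-end profile in one place: no SSLv3, TLS 1.0
#    or TLS 1.1, only RFC 5746 secure renegotiation, close_notify on
#    teardown, and no requests without a Host header. Every virtual
#    server that inherits the profile picks the change up immediately.
> set ssl profile ns_default_ssl_profile_frontend -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED -denySSLReneg NONSECURE -sendCloseNotify YES -dropReqWithNoHostHeader YES -sessReuse ENABLED -sessTimeout 120

# 4. Replace the permissive DEFAULT cipher group with a forward-secret,
#    AEAD-only group (assumed name sslprof_ecdhe_gcm).
> add ssl cipher sslprof_ecdhe_gcm
> bind ssl cipher sslprof_ecdhe_gcm -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 -cipherPriority 1
> bind ssl cipher sslprof_ecdhe_gcm -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 2
> bind ssl cipher sslprof_ecdhe_gcm -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 3
> unbind ssl profile ns_default_ssl_profile_frontend -cipherName DEFAULT
> bind ssl profile ns_default_ssl_profile_frontend -cipherName sslprof_ecdhe_gcm -cipherPriority 1

# 5. Verify: the profile shows the new settings and cipher binding, and an
#    existing virtual server (assumed name vs_app_https) reports the
#    default profile rather than per-entity settings.
> show ssl profile ns_default_ssl_profile_frontend
> show ssl vserver vs_app_https

# 6. Persist the change.
> save ns config
```

Because the default profile is shared, step 3 disables TLS 1.0 and 1.1 on every SSL virtual server at once. That is the point of Use case 1, but it is also the blast radius: confirm client compatibility and inspect the show ssl vserver output before the final save ns config, since the earlier save is the only way back.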

Use case 2

If your deployment uses specific settings for most of the SSL entities, you can run a script that automatically creates custom profiles for each end point and binds them to the end point. Use the procedure detailed in this section to retain the SSL settings for all the SSL end points in your deployment. After upgrading the software, download and run a migration script to capture the SSL-specific changes. The output of running this script is a batch file. Enable the default profiles and then apply the commands in the batch file. See the appendix for a sample migration of the SSL configuration after upgrade.

The following flowchart explains the steps that you must perform:

For information about upgrading the software, see Upgrading the System Software.

Download and run a script to capture the SSL-specific changes. In addition to other migration activities, the script analyzes the old ns.conf file and moves any special settings (other than the default) from an SSL end point configuration to a custom profile. You must enable the default profiles after the upgrade for the configuration changes to apply.

To download the script, log on to https://www.citrix.com/. On the Downloads tab, select Citrix ADC, and then select the release (for example, Release 12.0). Within the release, in Firmware, select a build. The SSL Default Profile Script is available in Additional Components.

Note: When running the migration script, you can have it generate the profile names automatically or prompt for each profile name interactively. The script checks the following conditions and creates profiles accordingly.

End points with the default settings and similar ciphers and cipher group settings: The script creates one profile.

End points with the default settings and with different cipher groups or different priorities for the Ciphers/cipher groups: In each case, the script creates a user-defined cipher group, binds it to a profile, and binds each profile to the appropriate end points.

End points with the default settings and default ciphers: A default profile is bound to the end point.

To run the script, at the command prompt, type:

./default_profile_script /nsconfig/ns.conf -b > <output file name>

You must run this command from the folder in which you store the script.

Enable the default profiles by using the Citrix ADC command line or GUI.
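As an added example that is not part of the Citrix documentation, the session below strings the Use case 2 steps together on the appliance. It assumes the downloaded script was copied to /var/tmp and writes the generated batch file to /var/tmp/ssl_profile_migration.batch; both paths and the virtual server name vs_app_https are illustrative. The root@ns# lines run in the BSD shell of the appliance, the > lines at the Citrix ADC command line, and # lines are annotations.

```text
# Drop from the Citrix ADC command line to the BSD shell, where the
# migration script runs, and generate the batch file from the old ns.conf.
> shell
root@ns# cd /var/tmp
root@ns# ./default_profile_script /nsconfig/ns.conf -b > /var/tmp/ssl_profile_migration.batch

# Review the batch before applying it. Each endpoint whose SSL parameters
# or cipher bindings differed from the defaults should appear with an
# "add ssl profile", the matching "set"/"bind ssl profile" lines, and a
# "set ssl vserver|service|serviceGroup ... -sslProfile" binding.
root@ns# grep -c "add ssl profile" /var/tmp/ssl_profile_migration.batch
root@ns# grep -- "-sslProfile" /var/tmp/ssl_profile_migration.batch
root@ns# exit

# Back at the Citrix ADC command line: keep a rollback point, enable the
# default profiles (a one-way change), then apply the generated commands.
> save ns config
> set ssl parameter -defaultProfile ENABLED
> batch -fileName /var/tmp/ssl_profile_migration.batch -outfile /var/tmp/ssl_profile_migration.out

# Confirm that endpoints with special settings received a custom profile
# and did not silently fall back to the default profile.
> show ssl profile
> show ssl vserver vs_app_https
> save ns config
```

Read /var/tmp/ssl_profile_migration.out for any command that failed: a binding that was rejected leaves that endpoint on the default profile, which may be weaker or stronger than what it had before the upgrade.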

Custom SSL profiles

Besides the default SSL profiles, customers can create custom front-end and back-end SSL profiles for specific use cases. There can be scenarios where different applications need different ciphers and SSL parameters. In those cases, customers can create new profiles and bind them to endpoints.

There is no upper limit on the number of custom profiles which can be created in a system.
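The session below is an added example, not Citrix's own documentation, showing the full lifecycle of a custom front-end profile (the add, set, bind, unbind, unset and remove operations listed earlier) for an application that must require client certificates. The names fe_prof_mtls, vs_partner_https and ca_internal are illustrative, and a user-defined cipher group named sslprof_ecdhe_gcm is assumed to exist already. Lines beginning with # are annotations.

```text
# Add: a front-end profile that only speaks TLS 1.2 and demands a client
# certificate. FrontEnd is the default type; it is spelled out for clarity.
> add ssl profile fe_prof_mtls -sslProfileType FrontEnd
> set ssl profile fe_prof_mtls -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED -clientAuth ENABLED -clientCert Mandatory -denySSLReneg NONSECURE -sendCloseNotify YES

# Cipher bindings live on the profile: drop the DEFAULT group that a new
# profile carries and bind the stricter group instead.
> unbind ssl profile fe_prof_mtls -cipherName DEFAULT
> bind ssl profile fe_prof_mtls -cipherName sslprof_ecdhe_gcm -cipherPriority 1

# Certificate bindings are not part of a profile. The CA that issues the
# client certificates is bound to the virtual server itself.
> bind ssl vserver vs_partner_https -certkeyName ca_internal -CA

# Bind: attaching the profile replaces the default profile on this virtual
# server only; every other virtual server keeps ns_default_ssl_profile_frontend.
> set ssl vserver vs_partner_https -sslProfile fe_prof_mtls
> show ssl vserver vs_partner_https

# Unset on the profile returns one parameter to its default value.
> unset ssl profile fe_prof_mtls -sendCloseNotify

# Unbind: unsetting the profile on the entity detaches it, and the default
# front-end profile applies again.
> unset ssl vserver vs_partner_https -sslProfile

# Remove: rejected while any entity still references the profile, which
# is why the unbind above comes first.
> rm ssl profile fe_prof_mtls
> save ns config
```

Setting clientAuth with clientCert Mandatory on the profile rather than on the virtual server means the requirement travels with the profile: any other virtual server that later binds fe_prof_mtls enforces client certificates without a separate per-entity change, but it still needs its own CA certificate binding.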

Visit SSL Profiles documentation for information on how to enable SSL profiles and more.

SSL back-end profiles

Back-end profiles apply to SSL-type services, service groups, and secure monitors. Services and service groups of the following types support back-end profiles: SSL, SSL_TCP, SIP_SSL, SSL_FIX, and SSL_DIAMETER.

Some monitors can be configured to check the health of back-end servers over secure connections. An SSL profile can be bound to such a monitor to set the SSL parameters and ciphers it uses. The monitor types that support this are HTTP, HTTP-ECV, HTTP-INLINE, TCP, and TCP-ECV.
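The session below is an added example, not from the Citrix documentation, of a back-end profile that validates the server certificate on every re-encrypted connection and reuses the same settings for the secure health monitor. The names be_prof_internal, svc_app1, sg_app_pool, mon_app_https and ca_internal, and the host name backend.example.com, are illustrative. Lines beginning with # are annotations.

```text
# Back-end profile: TLS 1.2 only, and verify the server certificate chain
# and its common name (serverAuth and commonName are back-end parameters).
> add ssl profile be_prof_internal -sslProfileType BackEnd
> set ssl profile be_prof_internal -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED -serverAuth ENABLED -commonName backend.example.com -denySSLReneg NONSECURE

# Front-end-only parameters are rejected on a back-end profile, as the
# parameter lists above indicate. This command returns an error and is
# included only to show the check.
> set ssl profile be_prof_internal -clientAuth ENABLED

# The CA that signs the back-end certificates is bound to the service,
# not to the profile. Without it, serverAuth fails every handshake.
> bind ssl service svc_app1 -certkeyName ca_internal -CA
> set ssl service svc_app1 -sslProfile be_prof_internal
> set ssl serviceGroup sg_app_pool -sslProfile be_prof_internal

# Secure health checks use the same profile, so the monitor cannot
# negotiate anything weaker than production traffic does.
> add lb monitor mon_app_https HTTP -secure YES
> set lb monitor mon_app_https HTTP -sslProfile be_prof_internal
> show ssl profile be_prof_internal
> save ns config
```

Turning on serverAuth without the CA binding does not degrade gracefully: the service goes DOWN because the handshake fails, and a monitor bound to the same profile fails for the same reason, which makes the cause easy to miss. Bind the CA first, then switch the profile.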
